New ionCube Malware threatening WordPress users

Security researchers at SiteLock have recently discovered a sneaky new malware strain threatening WordPress and Joomla admins. The malware strain is masquerading as legitimate ionCube files and was named ionCube Malware. Cybercriminals use ionCube Malware to establish backdoors on unsecured and vulnerable sites that enable them to kidnap information or spread more malware.

The malware was discovered on more than 800 small and medium business websites that run CMS platforms such as WordPress, Joomla, and, Codelgniter. According to SiteLock, this is a unique method to steal data and spread more malware, because ionCube Malware is encoded and formatted to look like a legitimate ionCube file.

Originally, ionCube was a commercial PHP scrambler and typically not used for malicious purposes. IonCube is used to turn text-based PHP files into an undecipherable code in order to conceal the intellectual property associated with licensed PHP files.

Weston Henry, the lead research analyst at SiteLock, noted that the ionCube Malware has similar specifications to malicious base64 encoded PHP eval requests that are able to target site PHP features and conceal malicious CMS plugins. Eval is a PHP function often used by cybercriminals to create site backdoors because it is able to execute arbitrary PHP code.[1]

This specific tactic we have never seen before. We have seen a ton of malware samples that have tried to look like specific Joomla or WordPress files. But ionCube is a legitimate encoding and encrypting tool. So when bad guys obfuscate malware inside fake ionCube files, it amounts to creating eval backdoor access to a website.

It is still not clear how the 800 websites got infected with the malware. However, the researcher that the ionCube Malware infections are linked to the use of outdated CMS plugins or platforms software.

W. Henry wrote that “From what we’ve seen, there’s no reason to think that this (malware) couldn’t impact any site that had a vulnerability that a bad actor could identify and compromise. This is particularly hard to identify, especially for any site that might already be using ionCube services”

It was also noted that detected malware samples were found in the WordPress core directories and named “diff98.php” and “wrgcduzk.php”. In addition, according to the investigation, malicious ionCube file code include minor differences, such as a bogus “il_exec” line, while legit8imate line should be “_il_exec”.

The findings of the investigation revealed that there is a link from every legitimate ionCube file to the ionCube.com name, however, malicious files do not have this link.[2]

“Also notice that the fake file has a code block after the PHP closing tags, much like the legitimate ionCube file. But unlike the real file, this code block consists only of alphanumeric characters and newlines,” W. Henry wrote in the SiteLock blog.

As for remission, users should scrutinize ionCuve files more heavily and update all CMS plugins and software.

About the author

Gabriel E. Hall
- Antivirus software specialist

Gabriel E. Hall is an antivirus software specialist at Reviewedbypro.com.